Arion Kurtaj, a teenager from the UK, amassed a fortune through audacious cybercrimes. From stealing Grand Theft Auto 6 secrets to erasing Brazil's COVID vaccination data, his exploits were legendary. But his hacking spree took a bizarre turn when he was placed under police protection... in a Travelodge outside Oxford.
Plus, Bengal cat lovers in Australia should be on their guard, as your furry feline friends might be leading you into a dangerous trap, and there are yet more headaches for troubled 23andMe.
All this and much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.
Plus don't miss our featured interview with Paul Fryer from BlackBerry.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- FBI issues warning as crooks ramp up emergency data request scams - The Register.
- Optimistic father of LAPSUS$ hacking suspect says he’s going to try to stop him using computers - Graham Cluley.
- LAPSUS$: GTA 6 hacker handed indefinite hospital order - BBC News.
- This Teenage Hacker Became a Legend Attacking Companies. Then His Rivals Attacked Him - Wall Street Journal.
- Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign - Sophos.
- Struggling DNA-testing site 23andMe to lay off 40% of its workers - BBC News.
- Remember That DNA You Gave 23andMe? - The Atlantic.
- Big Pharma Would Like Your DNA - The Atlantic.
- Addressing Data Security Concerns - Action Plan - 23andMe Blog.
- YTCH - YouTube-like cable TV.
- Space: 1999 opening titles - YouTube.
- Space: 1999 - Wikipedia.
- Wicked movie: Mattel 'deeply regrets' porn site misprint on dolls - BBC News.
- The Wicked Movie - Official Wicked Movie site.
- Mattel's 'Wicked' Movie Dolls Mistakenly List Porn Site on Packaging - Variety.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. How do you think that goes down with his fellow hackers?
CAROLE THERIAULT. I think they love it.
GRAHAM CLULEY. They love it.
UNKNOWN. I've been holding this weight. I want to be authentic. I want to be me. Thank you so much. Smashing Security, episode 393: Who needs a laptop to hack when you have a Fire Stick? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 393. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined today by a special guest. We haven't had a guest on for a while, have we?
CAROLE THERIAULT. It's been so long since we've had a guest, and I'm so thrilled that I don't have to just speak with you this week.
GRAHAM CLULEY. Oh, show me. Ladies and gentlemen, pleased to announce, yes, it's your maiden aunt's favourite, Mr. Thom Langford. Thom, you're still with us. That's great news.
THOM LANGFORD. I am. And it's so nice to be called special again.
CAROLE THERIAULT. We're very, very glad you're here, Thom. You're gonna give us a little bit of jolt of energy that we desperately need.
THOM LANGFORD. Well, yeah. Yeah.
GRAHAM CLULEY. Shall we?
THOM LANGFORD. I think so.
CAROLE THERIAULT. But first, let's thank this week's wonderful sponsors, 1Password, Vanta, and BlackBerry. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm gonna be explaining how a life and death emergency can lead to $14 million.
CAROLE THERIAULT. Okay, what about you, Thom?
THOM LANGFORD. I'm going to be talking about the dangers of being a cat owner.
CAROLE THERIAULT. And I'm going to be talking about 23andMe and you and you and you and you and you. Plus, we have a featured interview with Paul Fryer from BlackBerry, who's going to tell us how we can keep the lines of communication open even in the worst natural or man-made disasters. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, quick question for you. Did you have a job as a teenager? Thom, were you ever a teenager?
THOM LANGFORD. Yeah, a long time ago.
GRAHAM CLULEY. Right, yeah.
THOM LANGFORD. I did, as a late teenager. I worked in room service in a Park Lane hotel.
GRAHAM CLULEY. Oh la di da! Oh, you must have some stories regarding that.
THOM LANGFORD. Oh, I do.
GRAHAM CLULEY. Don't know how many shillings you were paid back then.
THOM LANGFORD. £110 a week, something like that.
GRAHAM CLULEY. Oh, right, okay. Wouldn't you have liked to have made $14 million?
THOM LANGFORD. A week? Or in total?
GRAHAM CLULEY. In total, in total. Don't be greedy, Thom.
THOM LANGFORD. Well, in total, I mean, it does dilute it a little bit, but yeah, I'd go for that.
GRAHAM CLULEY. What about you, Carole?
CAROLE THERIAULT. Yeah, of course, I worked my whole life. I worked from the age of 14. Got fired from my first job, actually. Was that when you worked for your dad? Yeah.
GRAHAM CLULEY. Well, I'm going to tell you today the story of one teenager actually living near us in Oxford, UK. His name's Arion Kurtaj and how he made his fortune. And maybe we can all learn a lesson or two from that, albeit we may not want to follow in his footsteps. So in 2021, this youngster, he was about 16 years old. He was part of a hacking group that broke into Electronic Arts. They stole 780 gigabytes of data. And—
CAROLE THERIAULT. Whoa, okay. And this is right in the middle of the pandemic. So everyone else is sitting at home rocking, going, I'm so lonely, I'm so lonely, and I'm so lonely.
GRAHAM CLULEY. Maybe playing video games. And suddenly people are hacking the video games companies. And the stolen data was dumped online.
And it didn't actually take long for Kurtaj to be identified. His name was provided to the FBI, and we'll get a hint as to what was going on in the background a little bit later. But Kurtaj and others then hacked other companies, including BT, British Telecom, demanded a $4 million ransom. So, you know, it's pretty serious stuff, this. You know, it's not just defacement, it's not just a DDoS. This is stealing data, demanding money.
CAROLE THERIAULT. And going after some big dogs for the money as well, right?
GRAHAM CLULEY. Right. And they were finding ways to actually monetise this data which had been stolen. So victims, some of them found themselves SIM-swapped.
One of the victims was a guy called Daniel Shenton. He told the press how he landed at Heathrow Airport. He'd been on holiday in Mexico. And, right, he landed during the pandemic.
CAROLE THERIAULT. Nice.
GRAHAM CLULEY. January 2022, this was. So he landed at Heathrow. Turned on his mobile phone, wouldn't connect.
And he thought, well, that's a bit frustrating. Got himself a new SIM card, didn't work either. And eventually he managed to log into his Coinbase cryptocurrency account. And rather than find the $45,000 he was expecting to find in there, he actually found instead 52 pence.
CAROLE THERIAULT. Maybe you should just quickly explain what a SIM swap is, just for some of our listeners.
GRAHAM CLULEY. Right, so SIM swap is where hackers manage to trick a mobile phone company into thinking that they own a particular mobile phone number rather than you. So your mobile phone number is basically stolen from you, which means that when a company or service or an online account maybe texts you a message or sends you an authentication code, it doesn't go to your phone.
It now goes to the hacker's phone who somehow hijacked your phone number. And sometimes that's done with social engineering, where they ring up the phone company and say, "Oh, I've lost my phone. I need my phone number switched to this new SIM." Other times, they can actually have paid someone corrupt inside the phone company to assist them in doing this.
THOM LANGFORD. Yeah.
GRAHAM CLULEY. Perfect.
CAROLE THERIAULT. Very well said, Graham.
GRAHAM CLULEY. Thank you very much. Kurtaj was a member of a gang called Lapsus$. And do you remember Lapsus$?
CAROLE THERIAULT. Yeah, yeah, yeah.
THOM LANGFORD. Is this self-named or is this named by one of those companies that likes to pull random words out?
GRAHAM CLULEY. I think it was actually self-named, 'cause it was Lapsus with a dollar sign on the end. And I can't believe any legitimate cybersecurity company would've created such an irritating name.
THOM LANGFORD. 'Cause that's proper hacker elite speak, isn't it?
GRAHAM CLULEY. Yes, exactly. You know, it's like, oh, let's put a dollar in there. One of the organizations they hacked was Brazil's Ministry of Health, and they deleted the country's database of COVID vaccinations.
THOM LANGFORD. That's outrageous. That really is outrageous.
GRAHAM CLULEY. I mean, it's just pure damage, isn't it, for the sake of it rather than anything else.
THOM LANGFORD. Shits and giggles and lots of actual harm. Yeah.
GRAHAM CLULEY. This guy, Kurtaj, November 2021, he took over a site called Doxbin. That wasn't because he hacked it. He bought the site.
So Doxbin, don't know if you've ever encountered it. It's a site where hackers publish each other's personal information. They publish each other's personal information to intimidate their rivals. So hackers don't always get along, right? And so you can understand that hackers have rivalries and hackers want to put down other hackers. So they find out about each other and then say, here's all the information about this hacker.
THOM LANGFORD. So it's like hacker Facebook.
GRAHAM CLULEY. Yes. Yeah. Or hacker LinkedIn. And there's all the information. And you're thinking, oh crumbs, there's my address. There's my photographs. Kurtaj bought this for $75,000. Not a bad little thing to buy yourself when you're 16 years old, which he was at the time.
CAROLE THERIAULT. A lot of wonga, but I guess he had a lot of chump change he could spend.
GRAHAM CLULEY. He was making money because of these cryptocurrency transactions.
THOM LANGFORD. Making coin, as the kids say.
GRAHAM CLULEY. Now, he took over the management of the site, but it turned out he wasn't very good at running it. Wasn't a very good manager. I'm sure some of us can identify with that as well.
CAROLE THERIAULT. I'm sure they could, Graham.
GRAHAM CLULEY. But people did— they didn't like him running the site. And eventually, he was convinced to sell it back to the original owners.
THOM LANGFORD. What?
GRAHAM CLULEY. So he sold it back to them. So, okay, you take it over then, if people don't like the way I'm running it. But this Kurtaj guy—
CAROLE THERIAULT. Took all the info.
GRAHAM CLULEY. Yeah, he downloaded the database of everyone's usernames, their passwords, their email addresses.
CAROLE THERIAULT. Of course he would!
GRAHAM CLULEY. What do you think he does?
CAROLE THERIAULT. Makes his own site.
GRAHAM CLULEY. Yeah, he publishes all this database of everyone who's a member of Doxbin. An absolute goldmine for cybercrime investigators.
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. Now, how do you think that goes down with his fellow hackers?
CAROLE THERIAULT. I think they love it.
GRAHAM CLULEY. They love it.
CAROLE THERIAULT. I've been holding this weight. I want to be authentic. I want to be me. And you've pushed me over the brink. Thank you so much.
GRAHAM CLULEY. I hated being called Colostomy Bag Boy. I want my real name to be out there.
THOM LANGFORD. I think nothing speaks more like a petulant teenager than buying, then selling a hacker website, and then publishing everybody's details. I mean, that's just a teenager basically just grunting and saying, "Oh, you don't understand," and then slamming the door, but with money.
GRAHAM CLULEY. So unsurprisingly, the other hackers then published Kurtaj's own details, not just his email address, but also photos of him where he goes to school, his home address, where his family are, what his parents do.
CAROLE THERIAULT. Did he not think that was possible? Do you think it didn't even occur to him? I know he's 16. I know he's 16.
THOM LANGFORD. Teenager brain, you know.
GRAHAM CLULEY. Well, we'll be looking more into his brain later on.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So he was then arrested by UK police for the BT hack, right? He got arrested in January 2022. They seized his phones, but because he's only 16, they release him, right? They can't put him in remand. You don't put young people that young typically into remand. And within a month, the Lapsus$ gang had hacked someone else. They'd hacked Nvidia, the chip people, the people who were behind all the cryptocurrency mining. They stole credentials for two of their contractors. They got past multifactor authentication, again, maybe by doing this SIM swap. They released 80 gigabytes of data. They demanded a ransom. And then they take on the big guns. They take on Microsoft, they hack Microsoft, they hack Samsung, and the list goes on and on and on. And one of the ways in which the hackers were able to break into accounts, one of the ways in which they're able to SIM swap people.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And get past multifactor authentication was through these things called EDRs.
CAROLE THERIAULT. Mm, no idea what that is.
GRAHAM CLULEY. Okay, Emergency Data Requests. These are a legal mechanism through which law enforcement agencies, typically in the United States, can obtain information from social networks, telephone companies, internet service providers in life and death emergencies. Or the police claim there's going to be some terrorist activity or someone's going to die. We need a number now. We need these details now.
So, it's a way of fast-tracking rather than taking out a subpoena. It's a way of fast-tracking the information to get it out of companies.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So, what the hackers did was they posed as police and law enforcement, go to the tech companies and say, we need the details, we need the phone number of this particular person, or who runs this website.
THOM LANGFORD. Was it two teenagers in a long police coat?
CAROLE THERIAULT. The one's on top of the shoulders of the other?
THOM LANGFORD. Yeah, exactly.
GRAHAM CLULEY. It's a bit like that.
THOM LANGFORD. We are the police doing the business.
GRAHAM CLULEY. And in some cases, they had actually hacked the police accounts in order to send the messages through the police's own portal to these tech companies. So to the tech companies, it really looked like it was legitimate.
And so they were handing over the information in a quick fashion. And with that, they were then able to trick the cell phone company, as we described, into letting them grab the SIM number.
CAROLE THERIAULT. There must have been warrants involved and stuff. I mean, it's the panic thing that stops companies from actually doing their due diligence.
THOM LANGFORD. It's the emergency.
GRAHAM CLULEY. There's a bomb which has been planted.
CAROLE THERIAULT. We don't have time for warrants. Give us everything.
GRAHAM CLULEY. Imagine Bruce Willis, right? It's that kind of situation.
CAROLE THERIAULT. My husband would swoon.
GRAHAM CLULEY. Tom Cruise in Mission: Impossible. He doesn't bother with subpoenas and the paperwork.
CAROLE THERIAULT. Comes down from the sky.
GRAHAM CLULEY. Jack Bauer. Mr. President, I need to speak to the president.
THOM LANGFORD. Paul Blart, the mall cop.
GRAHAM CLULEY. So, the FBI right now says there's been a huge rise in the number of underground forum posts, which are offering to coach people on how to steal data through these fraudulent emergency data requests. For as little as $100, you can find out how to do this.
And the hackers are loving it. And this is one of the things that the Lapsus$ gang were doing. They were even offering $20,000 a week to employees of mobile phone companies who would help them take over mobile phone numbers.
CAROLE THERIAULT. Oh my God.
THOM LANGFORD. Well, that beats £110 a week.
GRAHAM CLULEY. So, the police arrested Kurtaj again, right? They've arrested him once, and then these other companies have been hacked.
CAROLE THERIAULT. And how old is he now? 17 with peach fuzz.
GRAHAM CLULEY. I think he's not quite 17 yet, but yeah, he's still very young. He's said to have amassed a bitcoin fortune worth approximately $14 million.
By now, that would be worth a lot more. And his dad was actually interviewed by the press at the time, and they said, we know we're hoping to keep him off computers. He's never talked about hacking. He is very good on computers, spends a lot of time on them. I always thought he was playing games. He said, we're gonna try to stop him from going on computers. And so he was released.
CAROLE THERIAULT. Surely, surely. Okay, okay. It's so weird. I would just assume that as part of his arrest, it would be, yeah, not allowed on computers, dude. For obvious reasons. Touch one and you're in jail.
THOM LANGFORD. He needs it for his schoolwork.
GRAHAM CLULEY. He's been released again on condition he stays off computers. But remember, he was doxxed. And over the next few months, someone threw bricks through the window of his family home just outside Oxford.
His mother's car was smashed up. And this is a weird thing: a bag of chicken was mysteriously delivered to his house.
THOM LANGFORD. You sure it wasn't Deliveroo?
GRAHAM CLULEY. Exactly. It could have been Uber Eats, couldn't it?
THOM LANGFORD. Yeah, exactly. A KFC delivery. I mean—
GRAHAM CLULEY. There was even said to be a plot from hackers to steal crypto from him. So the police decide he needs protection, because even though he's suspected of being up to no good, he needs protection from other criminals.
And so he was booked into the Travelodge in—
THOM LANGFORD. Okay, so now we know where the Oxfordshire Police Service put people when they want to protect them.
CAROLE THERIAULT. Yeah. People think this is a nice, sleepy old county, Oxfordshire, but actually, look what's going on.
GRAHAM CLULEY. Thereafter, Uber got hacked. I don't know if it's about the chicken delivery. Their internal Slack got hacked—someone posted a link to an erect penis to their Slack.
Ew. And then a couple of days later, Rockstar Games, the makers of Grand Theft Auto—someone stole clips from them for Grand Theft Auto 6, which hasn't been released yet.
GRAHAM CLULEY. So the police are thinking, what is going on? So they go and visit him at the Travelodge in room—this tickled me—the room number was M15.
They put him in the MI5.
CAROLE THERIAULT. You've done your due diligence on this story, right?
GRAHAM CLULEY. I have, I have. I actually found out which Travelodge it was—all I had was a photograph. I did a reverse Google image search and found out it was the Travelodge.
Now, they didn't find a computer with him, but they found an Amazon Fire Stick plugged into his TV and a keyboard and mouse. And what he'd done is to the Fire Stick, he'd downloaded the Silk Browser, and from there he'd been able to hack.
GRAHAM CLULEY. You've got to admire, in some ways, this guy's tenacity.
CAROLE THERIAULT. Or he's completely addicted.
THOM LANGFORD. I was going to say, yeah, he's addicted, isn't he? He's absolutely addicted.
CAROLE THERIAULT. He doesn't know what to do, and he's smart enough to know all the workarounds. And he's too young to, you know.
GRAHAM CLULEY. And his parents haven't convinced him, and these multiple arrests haven't stopped him. So he was arrested again, of course, and he did have his day in court.
The judge heard medical evidence which said that he was highly autistic and that he didn't understand the difference between good and bad. And in fact, the jury were ordered not to adjudicate as to whether he had intended to commit crime or not—they said he wasn't capable of making that decision.
GRAHAM CLULEY. They only had to determine whether he had committed the alleged acts.
THOM LANGFORD. Well, he knew that $14 million in bitcoin was good.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And his defence team, they argued, well, releasing the GTA 6 trailer—the video game trailer—ahead of time, that actually helped with the promotion of the game. And so it hadn't caused them any harm.
The games developers, Rockstar Games, they said, "It cost us $5 million, actually."
THOM LANGFORD. Yeah.
GRAHAM CLULEY. The end result is, he has been confined to a secure mental health ward. He's been put in a secure hospital indefinitely until doctors decide he's no longer a danger to the public. So, he's probably gonna be there for a while.
Interestingly, apparently the hospital ward does have computers in the common areas. Whether he's going to access them or not, who knows?
But it's an interesting case, isn't it? What should happen to people who have such severe autism they can't be kept off their computers?
They don't necessarily understand right and wrong. Was this a good way to deal with this guy or not?
I tend to think, well, in the absence of anything else, maybe this was the right thing to do with him. But obviously, companies and individuals have lost huge amounts of money as the result of this guy's actions.
THOM LANGFORD. He certainly needs some therapy. There's no doubt about it.
Whatever form that would help him here. But he also has to— you have to be held accountable to one degree or another.
CAROLE THERIAULT. How could the parents not notice if he has extreme severe autism?
GRAHAM CLULEY. He was attending a special needs school for many years. So I think there had been a lot of challenges with his upbringing.
His parents had split up, they had taken him out of school after there had been some violent incidents and trouble that, and then taken to this special needs school.
CAROLE THERIAULT. So here's some nice context at the end.
GRAHAM CLULEY. Well, I'm telling you about the crime, and then I'm telling you about him himself, mitigating circumstances. So it's not always black and white, and it is complicated, and it is interesting how many people who have been charged, particularly teenagers who've got involved in cybercrime sometimes, have been determined to have autistic traits.
THOM LANGFORD. Well, Marcus Hutchins, for instance. Is it Asperger's he has that was taken into account?
GRAHAM CLULEY. Right, yeah.
CAROLE THERIAULT. But not everyone with autism with technical traits goes down this type of route.
THOM LANGFORD. No. At all, right?
GRAHAM CLULEY. No, some of them start cybersecurity podcasts, don't they?
THOM LANGFORD. Yes, they do.
GRAHAM CLULEY. Thom, what's your story for us this week?
THOM LANGFORD. So, either of you a lover of cats?
GRAHAM CLULEY. Oh, I don't have a cat at the moment. I have had cats. I cats.
CAROLE THERIAULT. Oh, I love cats. Cats are cool.
THOM LANGFORD. Cats are cool. Absolutely. And Bengal cats, the most regal of cats.
GRAHAM CLULEY. What are Bengal cats? Just give me an idea of what they are.
CAROLE THERIAULT. I can tell you, because my cat has got a slight Bengal thing. They tend to have spots.
They look leopardy. They're very long and they're very strong.
So they can actually jump really high and they can kick the butt out of most cats. Apparently, they're one of the only cats that are semi-feral.
So they're very difficult to tame.
THOM LANGFORD. And they can make a banging curry.
GRAHAM CLULEY. As an ingredient.
THOM LANGFORD. So, if you're in Australia, you might want to find out, 'cause Australia's got all sorts of weird rules when it comes to its flora and fauna and animals and all that sort of thing. But you might want to know if it's legal to own a Bengal cat in Australia or if you need a license for it.
So what might one type into Google in that case? So things maybe, are Bengal cats legal in Australia?
Or even, do you need a license to own a Bengal cat in Australia? And you would get some responses back, right?
And you'd click on said responses and do what it says to find out. So apparently, this being a cybersecurity podcast, not a cat podcast, apparently—
GRAHAM CLULEY. What's the pity?
THOM LANGFORD. Yes, exactly. Criminals out there have been using a kit called Gootloader, which manipulates search engine optimization, SEO. And this is— SEO is what companies use to basically try and get their products as high as possible in Google or DuckDuckGo's or even Bing's responses.
CAROLE THERIAULT. There's a myriad of ways of doing it. Keywords, paying money, all kinds of stuff.
THOM LANGFORD. It's as much technology as it is dark art.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. You know, and it's one of the worst things on the internet, really, isn't it?
THOM LANGFORD. That's right.
GRAHAM CLULEY. Because it's just horrible.
THOM LANGFORD. It's a constant zero-sum game at the end of the day.
GRAHAM CLULEY. The only worse thing than messing around with SEO is to meet an SEO consultant. It's just, oh, because how do you know they're an SEO consultant? Because they keep saying the same word over and over again and synonyms.
THOM LANGFORD. Exactly.
GRAHAM CLULEY. Yes, exactly.
THOM LANGFORD. So what this does is when people search specifically for Bengal cats in Australia, etc., etc., a specific series of links are marked very highly in the SEO. And so victims are often enticed into clicking on these links, which are disguised as legitimate marketing or legitimate Google searches.
GRAHAM CLULEY. Yeah.
THOM LANGFORD. But it's actually malicious adware and it directs them to a compromised website that hosts a malicious payload masquerading as the desired file. So it might say, download this handy document to find out about—
CAROLE THERIAULT. Is this in the sponsored area typically of searches or just near the top of a normal link?
THOM LANGFORD. I think it's just near the top. I think sponsored, you actually have to hand money over, right?
CAROLE THERIAULT. Exactly right. So it's just sitting there as, this is the best result for your request. This is the number one response that Google or whatever search engine you're using has.
THOM LANGFORD. Now, if they do go to that compromised website and download a file because here's your handy cut out and keep or fill in this application form for your, you know, much-loved Bengal cat, etc. This payload is delivered and it's a malware that sits on your machine, but nothing happens initially. But if that malware remains there undetected for a while, it then goes on and downloads a second stage payload known as the Gootkit. I just love these names, which is a highly evasive information stealer and remote access Trojan, or RAT. And what it does is it establishes a persistent foothold on the user's computer and network environment and anything else it can reach out and talk to.
GRAHAM CLULEY. So in your desire for a cat, you've ended up with a rat.
THOM LANGFORD. Indeed. Indeed. I see what you've done there, Graham.
GRAHAM CLULEY. Thank you very much.
THOM LANGFORD. I can tell why you're a professional.
CAROLE THERIAULT. I think it was very good, Graham.
THOM LANGFORD. Yeah, of course.
PAUL FRYER. Thank you.
THOM LANGFORD. Thank you. But this Gootkit can then be used to deploy ransomware or other tools, including drumroll, Cobalt Strike for follow-on exploitation. So what I find absolutely fascinating about this is, is this the tip of the iceberg or is there a criminal who just happens to love Bengal cats and finds it highly amusing that when people search for Bengal cats in Australia, that he's trying to compromise their machines.
GRAHAM CLULEY. Or you're thinking of a Blofeld type.
THOM LANGFORD. Exactly. Or is it a cat breeder who's been spurned by the cat breeding community and wants to spread some kind of awful cat-based or rat-based malware out there? It's either very, very specific or utterly random.
And I think it's going to take a little while for us to find out. Now, I looked at the Sophos website that actually broke this story and I got lost.
I did not understand half the stuff they were talking about. They were way above my technology grades. But someone has put a vast amount of effort into this to try and use potential Bengal cat owners in Australia's computers to launch ransomware attacks elsewhere in the network.
GRAHAM CLULEY. Now, they could change it easily from Bengal cats, couldn't they?
CAROLE THERIAULT. Well, they could, sure.
GRAHAM CLULEY. They could, of course.
THOM LANGFORD. Yeah, absolutely.
GRAHAM CLULEY. I'm thinking if I was targeting you, Thom, for instance, I'd choose some sort of Lego lure.
THOM LANGFORD. Yeah, that's true.
GRAHAM CLULEY. 1970s space Lego. Yeah.
CAROLE THERIAULT. I would choose something else, but nothing I would mention on the show.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Let's say hello to Uncle Anton, okay? Uncle Anton, once retired, got to spend all his free time looking up into his family history, his family tree and all that, and was thrilled when he learned about genetic testing companies, 'cause they could help him find long-lost family.
So he signs up for one of repute, 23andMe. And to make sure he remembered his login, he cleverly used his trusted username and password, Antoinette123 and Antoinette321, you know?
And sent off his DNA and eagerly awaited the result to arrive. He wanted to know, was his weird obsession with dogs actually in his DNA?
Or which side of his family rewarded him with baldness at age 29. So 23andMe have this amazing feature called DNA Relative Finder, and it's included in the 23andMe kit, which also includes ancestry reports, family tree, and trait reports.
And the idea, or what they sell it as, is you get personalized genetic insights to take action on your health. People like Anton connect with distant relatives, including his niece, who I'll call DeMarie.
Now, DeMarie works in cybersecurity and has never gone on these sites, right? Because she sees this as a security issue.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. But through Uncle Anton's family investigations—
THOM LANGFORD. You're using my pet name again.
CAROLE THERIAULT. Some genetic and health history data of DeMarie became available on the site. DeMarie, having never accessed the genetic testing site, was none the wiser.
She doesn't know.
GRAHAM CLULEY. No.
CAROLE THERIAULT. Until she gets a message on her socials from some stranger saying, "Hey, cuz, we're related." So we've talked about 23andMe before, about a year ago, in fact.
Do you guys remember why we brought it up? Because, Thom, you must remember, you listen to every episode.
THOM LANGFORD. It was the data was stolen, wasn't it?
CAROLE THERIAULT. Correct.
GRAHAM CLULEY. And there was a problem with this particular part of 23andMe, wasn't there? This thing which allowed you to connect with other people.
THOM LANGFORD. It's quite invasive.
GRAHAM CLULEY. Yeah, it was a way in which people were able to find out information about other people. So even if they hacked one account, they're then able to grab information about other people too.
THOM LANGFORD. A bit like Facebook's shadow database of people who aren't on Facebook.
CAROLE THERIAULT. Exactly. Yeah, so let me just go back.
Yes, they experienced a big data breach. Loads of user data was leaked and appeared on breach forums.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And it was attributed to credential stuffing. So basically Anton's password and username weren't that difficult to crack. And he'd also used them on many other sites across the web.
So not only was Uncle Anton's data compromised, but people connected to him who hadn't shared their DNA with 23andMe, people like DeMarie, were also at risk. Now at the time, 23andMe said, look, users, could you just not reuse passwords? Use some multifactor authentication. You know, this wouldn't have happened otherwise.
GRAHAM CLULEY. It's all your fault, you dumb users. You're the ones who've handled this badly.
CAROLE THERIAULT. Yeah, exactly. But last month, 23andMe was made to pay up for this breach.
And one of the issues was that 23andMe seemed to have failed to alert customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to specifically target them and then posted their information for sale on the dark web. So there's loads of links in the show notes if you want to read more about this, listeners. But in short, 23andMe were asked to pay $30 million for failing to protect the privacy of 6.9 million people whose personal information was exposed in the data breach last year. 1.5 million of those were never customers of 23andMe.
THOM LANGFORD. Wow.
CAROLE THERIAULT. So people like DeMarie. But that's not the end of the story.
Because as a result of this entire fiasco, 23andMe are feeling the financial pinch.
PAUL FRYER. Yeah.
CAROLE THERIAULT. And it's more than a pinch. It's more a wallop across the fat chops because the share price has fallen more than 70% this year.
In September, 7 of 23andMe's 8-strong board resigned, citing they had not received a satisfactory buyout. And just today, the day of recording, DNA testing site 23andMe is to lay off 40% of its workers, or 200 employees, as it struggles for survival. And also, it's halting work on therapies it's been developing, some for years.
GRAHAM CLULEY. I mean, it's not looking good for 23andMe at all, is it? It looks like they're facing bankruptcy. And you have to wonder, how are they going to make some money?
THOM LANGFORD. Either going to sell themselves, in which case the data goes to someone else who can then start changing things, or they're going to sell the data.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. This is permanent information. DNA stuff. It's not stuff you can actually mess around with and change up.
GRAHAM CLULEY. You can't change your DNA like you can change your password.
CAROLE THERIAULT. And who might this be very valuable for? For example, authorities would love this information, wouldn't they?
THOM LANGFORD. Health insurance companies.
CAROLE THERIAULT. Health insurance companies would love this information. Big Pharma.
GRAHAM CLULEY. What about an evil enemy state which was developing a biological weapon who wanted to knock out...
THOM LANGFORD. Podcasters.
GRAHAM CLULEY. I'm getting all a bit James Bond with this. I'm getting conspiratorial.
CAROLE THERIAULT. But here, this is the big clincher for me. Unlike medical information, the type of genetic data collected by companies like 23andMe are not covered by HIPAA, limiting legal recourse for affected users.
THOM LANGFORD. How is that not covered by HIPAA? It's the most personal of medical information, right?
CAROLE THERIAULT. And this was based on a very recent article just in The Atlantic. Again, links in the show notes.
So apparently 23andMe does comply with GDPR in the EU, which has stricter privacy protections and heavy penalties for breaches. And can I just say, as a final word, you gotta love the GDPR, right? Warts and all. I know there's a few warts in it, but you gotta love the GDPR.
GRAHAM CLULEY. So for all you naysayers out there... And next time someone invites you to spit into a test tube and put it in the box to them, maybe think twice.
THOM LANGFORD. That's just a Tuesday for me.
CAROLE THERIAULT. Yeah, but can you imagine, I don't know, I was thinking about that. You're a bit of a paranoid sort. You may not want your DNA to go anywhere, right? So when you go over to a friend's house and you're, nope, not drinking anything.
THOM LANGFORD. I'm bringing my own glass.
CAROLE THERIAULT. I brought my own glass. Wouldn't it be nice to have secure communications through a critical event, be it a cyberattack, an extreme weather event, or even civil unrest? Wouldn't it be nice to know that you were communicating to the right people so you can deploy resources to areas where they are most needed?
And wouldn't it be nice to have all this delivered out-of-band so there is continued communication even if your own infrastructure is compromised? The answer is yes. Yes, it would.
Say hello to BlackBerry's SecuSuite. Certified to meet the highest security requirements, SecuSuite protects against threats to enterprise and local and national security by enabling secure communications on conventional mobile devices.
With BlackBerry SecuSuite, employees can make secure phone calls and exchange secure messages, including group chats, on the devices that they already carry. How cool is that? Find out more at smashingsecurity.com/blackberry. And thanks to BlackBerry for sponsoring the show.
GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practice and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time.
Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.
Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is: How do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing.
That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
THOM LANGFORD. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the, this is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily. Better not be.
Well, my pick of the week this week is not security-related. I have to thank one of our listeners, Dutch listener Willem, brought this to my attention.
CAROLE THERIAULT. Yay, thanks Willem.
GRAHAM CLULEY. It is a website called Y-T-C-H, YTCH dot XYZ. There, that's easy to remember. And this is— well, imagine what YouTube would be like if it actually mimicked what it was like to turn on your television back in the 1980s.
Just had a handful of channels. You could just change between them. You couldn't stream anything instantly. There was no TV on demand. That is what this website is like. Now, guys, I sent you the link before the podcast so you could try it out. Thom, what did you think?
THOM LANGFORD. Do you know what? I was really confused at first, which is a fairly normal state of being for me. But nonetheless, I thought this is really quite cool. I could see myself basically spending hours clicking the channel button every 2 to 3 minutes.
CAROLE THERIAULT. And so is it just tied up with something like YouTube and it's just grabbing them at random or?
GRAHAM CLULEY. So it's got 39 channels. So there are channels about food, there's channels about comedy or cars or news and politics or classic movies, something like that. And you just change a channel and it'll be wherever it is during that video at that time, as though you were watching old-style TV. There's no ads. Oh my goodness. How wonderful is that?
THOM LANGFORD. It's like the BBC in the '70s.
GRAHAM CLULEY. There's a bit of static on the screen when you change the channel.
CAROLE THERIAULT. Oh, and you can choose your channel. I can— I'm looking at it now. You can say, oh, I'd like a food channel.
GRAHAM CLULEY. Oh, yeah.
CAROLE THERIAULT. But you can't click on it. You have to go to the channel.
GRAHAM CLULEY. Channel—
THOM LANGFORD. You actually have to go up and down. Yeah. You can't type in a number or anything like that, can you?
GRAHAM CLULEY. Personally, I love Channel 23, which is chess. 24 hours of chess up on there. Fantastic.
CAROLE THERIAULT. But—
THOM LANGFORD. Oh, Channel 9.
GRAHAM CLULEY. Channel 9 is cars. I can see on the list here right now. There's classical music.
CAROLE THERIAULT. That's a very good find, Graham.
GRAHAM CLULEY. Thanks to Willem for telling me about it.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. Is this your way of saying that next week's podcast is going to be very late?
GRAHAM CLULEY. It's really enjoyable. YTCH, it's called. So YouTube channel, I guess it stands for, .xyz. Go and check it out. I think many people will actually really, really like it.
CAROLE THERIAULT. Cute.
GRAHAM CLULEY. And that was my pick of the week. Thom, what's your pick of the week?
THOM LANGFORD. So cast your mind back, if you can, to 1975 in the UK. We've just had the phenomenon that was 2001: A Space Odyssey. We had A Clockwork Orange. So all of these sort of futuristic—
CAROLE THERIAULT. Isn't it called A Clockwork, not Cockwork?
THOM LANGFORD. That's what I said, A Clockwork Orange. I think that was just you.
GRAHAM CLULEY. Carole, get your mind out of the gutter.
CAROLE THERIAULT. I've misheard.
THOM LANGFORD. You're thinking of the porn parody, aren't you? Anyway, so lots of slightly sort of post-apocalyptic feel or future feel going on. It's before Star Wars, crucially, and you've got the powerhouses that is Gerry and Sylvia Anderson.
GRAHAM CLULEY. Yes.
THOM LANGFORD. So if you don't know, Gerry and Sylvia Anderson are the creators, husband and wife, who created Thunderbirds, Stingray, Joe 90, Fireball XL5.
GRAHAM CLULEY. Captain Scarlet.
THOM LANGFORD. Captain Scarlet, yeah. What they got into was a TV show called Space: 1999.
CAROLE THERIAULT. Do you know this, Graham? I don't know this at all. You—
THOM LANGFORD. What?
GRAHAM CLULEY. Oh my goodness, you don't know? Oh, Carole!
THOM LANGFORD. Oh my god!
GRAHAM CLULEY. I love Space: 1999. It has the greatest theme tune of any TV programme ever, in my opinion.
THOM LANGFORD. So good. So good. Bottom line is, this is a classic British show that was— they were trying to sell it to the US. They had— the leads were American. Martin Landau and Barbara Bain. Big hitters of the '70s. The basic premise is, the moon gets knocked out of its orbit by a massive nuclear explosion, and is now just travelling through space.
GRAHAM CLULEY. September 13th, 1999.
THOM LANGFORD. September 13th, 1999, exactly. They get sent hurtling through space, and it's all about their weekly adventures, and who they come across, and the spectacular aliens, and their inner demons, and all that sort of stuff. Brilliant. A perfect periodical show. And they had 22 episodes per season. So plenty of content.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. Now, the Moon City uniforms for the first series were created by an Austrian fashion designer, which tells you everything you need to know. Rudi Gernreich. And they were beige. So beige. So much beige everywhere. They were glorious.
GRAHAM CLULEY. It was great. I loved it. I loved the Moon City. The special effects and model work, the Eagle— the Eagles were the transporters, their main spaceships. They were awesome, weren't they?
THOM LANGFORD. As you'd expect, the model work was second to none. In fact, I think the Eagle transporter is beloved by many a man over a certain age. But the music you mentioned, Graham, was season 2.
GRAHAM CLULEY. Oh, was it?
THOM LANGFORD. Not season 1. Yeah.
GRAHAM CLULEY. Oh, really?
THOM LANGFORD. Well, from watching these, the ones that trigger my memory the most, season 2. Even though season 1 is so much better and so much more British, you know. So it's, you know— but anyway, because I've told friends and family this so much and they've just ignored me, I thought I'd just tell a captive audience. I love this.
PAUL FRYER. Yeah, it's superb.
THOM LANGFORD. It's dreadful as much as it is amazing. And that's part of the charm.
CAROLE THERIAULT. Gorgeous. Yeah, that's always a gorgeous combination.
THOM LANGFORD. Highly recommend it. So your pick of the week is Space: 1999.
GRAHAM CLULEY. Very cool. Strong recommend from me as well. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay, so my pick of the week is an article that I read over the weekend. It's one of those, you know, when you watch The Office and then it gets really uncomfortable and I sometimes will hide behind the sofa just because I start clawing at my skin in discomfort. It was one of those. And it involves dolls, dolls for kids from toymaker Mattel.
Okay. And they're always putting out toys, these guys. And they recently put out a new keepsake celebrating the new Wicked movie that's coming out.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. And I can tell that Thom's already seen this. So stay with me, Thom. Stay with me.
THOM LANGFORD. Yes.
CAROLE THERIAULT. So Wicked. So just for those who don't know, the idea of the movie Wicked is it's set in the Land of Oz years before Dorothy's arrival and has a green-skinned, much misunderstood young woman who will eventually become the Wicked Witch of the West. And Cynthia Erivo plays the witch Elphaba and Ariana Grande, the pop singer, plays Glinda, the popular blonde roommate. Okay, so all that is backstory, 'cause you have these two characters in a box, right? And they're being touted for Christmas. And you know, in these boxes, there's lots of information, and you can learn all about it at their website. So Graham, why don't you go to the website? So it's wicked.com.
GRAHAM CLULEY. Wicked.
CAROLE THERIAULT. W-I-C-K-E-D. Yeah, that's the name of the movie. Yeah, W-I-C-K-E-D. All right, I'm going there.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Access beyond this page is restricted to adults 18+ only. Oh, hang on. Hang on.
CAROLE THERIAULT. What's going on?
THOM LANGFORD. That's only because of the green skin. Just click, go through, Graham.
GRAHAM CLULEY. Are you sure? Okay, Thom, I'm going to trust you.
THOM LANGFORD. Yeah, you'll be fine.
GRAHAM CLULEY. Oh, hello. These look like— oh, watch. Surely, surely that's not the president's desk she's sitting on. It says Stormy Trump Sold. Hang on. These look like rather X-rated videos.
CAROLE THERIAULT. Right. So apparently there's another studio known as Wicked Pictures that is currently making pornographic parodies featuring various characters from the Marvel Cinematic Universe.
THOM LANGFORD. And also A Clockwork Orange as well.
CAROLE THERIAULT. And it was unfortunate, however, that packaging for the Elphaba and Glinda dolls for the Wicked movie—
GRAHAM CLULEY. They got the URL wrong.
CAROLE THERIAULT. Listed the web address for wicked.com, the homepage of Wicked Pictures, where the link should have been wickedmovie.com. So parents who may have bought these dolls for your children in the upcoming holiday season, you may want to get a little Sharpie and block that out.
A lesson to all though is be careful with links. Graham, you remember when we were working and a journalist sent us a link, you know, with questions and he obviously was maybe having a bit of adult fun at the same time that he was emailing us a list of questions because he got the link wrong. And we ended up on something that's—
GRAHAM CLULEY. Yeah, yeah. He sent us an unsavoury link, shall we say.
CAROLE THERIAULT. Anyway, moving on.
GRAHAM CLULEY. Now, Carole, you've been chatting to the folks at BlackBerry this week, haven't you?
CAROLE THERIAULT. Yes, I've been talking to Paul Fryer from BlackBerry. And, you know, when things can go really wrong, as we've seen so many times this year through wars and through natural disasters, they have a way to keep the communication lines open. Listen up.
So listeners, today we are speaking with Paul Fryer. He is a senior manager in the sales engineering team at BlackBerry, and we are going to talk about critical event management and how to do it right. Now, BlackBerry needs little introduction. It was first founded in 1984 as Research in Motion, or RIM.
BlackBerry is now a leader in cybersecurity, helps businesses, government agencies, and institutions of all sizes secure their digital worlds. Paul Fryer of BlackBerry, welcome to Smashing Security.
PAUL FRYER. Hi, Carole. Thanks so much for having me.
CAROLE THERIAULT. Thank you. So Paul, maybe we can just start and learn a bit about you. So how did you end up at BlackBerry?
PAUL FRYER. Of course, I've been in technology since I fell out of school. So not to give my age away, but that was late 1994.
And I've run in positions across all of support, infrastructure, network design, a couple of ISPs that I've been a lead in. And then it came to a point about 8 years ago where I really focused on cybersecurity as the next role for me.
Do sales engineering. I like designing things, I like building things, and I like driving success both individually and within teams. So I joined at that point, if I may use a competitor, I joined McAfee.
I ran their sales engineering for about 6 years and then I moved across to BlackBerry two, two and a half years ago to do the same thing across the UK and parts of EMEA and the Nordics. Middle East, Africa, those sorts of areas.
CAROLE THERIAULT. Yeah, and it's a very exciting time for BlackBerry as well with, you know, not just cybersecurity, but also with the advent of AI security, right? So it's a fun time to be working in security, I think.
PAUL FRYER. AI is used a lot within the cybersecurity space.
CAROLE THERIAULT. Yeah.
PAUL FRYER. And what we try and put across to organizations, I know we're going off topic a little bit, but what we try and put across to organizations is, AI is not AI. Never the same just because we call it something. The way we approach AI from a predictive standpoint when it comes to our cybersecurity solutions is very unique and different in the market. So that's been a really interesting thing to drive across technology industries, government, public sector specifically, and other areas of industry.
CAROLE THERIAULT. Yeah, and I'm sure it plays a part as well in critical event management solutions. So, effectively, critical event management is often referred to by its acronym, CEM, and maybe you can help us understand what is a critical event? Like, is that a power outage or what is it?
PAUL FRYER. Great question. Critical event management has such a broad spectrum of scope across where it can be applied. I'll give you 3 examples. So, let's take 3, an infrastructure, a technology, and then let's call it a people-focused event.
The recent Baltimore Bridge collapse, very high-profile infrastructure, as in physical infrastructure-based event, we were used to communicate across a number of different agencies to make sure that people were in the right place at the right time to respond to that incident and ensure no further loss of life or challenge to individuals in the area and make sure that we could collect real-time information about where those individuals were that were helping an event.
GRAHAM CLULEY. Mm-hmm.
PAUL FRYER. That's a really obvious critical event. It's very physical, it's very publicized. Secondly, a digital event.
Physical events don't have to be physical in nature. So a digital event, the recent widespread computer outage is a good example of this.
You've got millions of devices impacted globally. Within about 6 minutes of each other.
How do organizations that have got, let's say, 10, 20, 30,000 devices out there understand what the impact in their business is? How do they communicate with the workforce to find out who's impacted, who isn't impacted, and therefore where do we need to focus our effort to get these critical systems back up and running?
So we're talking about event management to recover critical systems within the organizations themselves. We gather real-time status updates, maintain secure and reliable communication. How do we do that if their systems are down?
CAROLE THERIAULT. Well, exactly, that was going to be my next question. I mean, how—
PAUL FRYER. Exactly right. So the elements we're talking about here with RCE AtHoc, as you mentioned just now, is that we are out of band. So we are out of band of their own infrastructure.
We're completely independent of them and therefore can be relied upon if they've got a digital incident that causes them an issue in communication across their infrastructure in the state. And then the third one, which is interesting, it's interesting to talk about this today, we're recording this podcast as the latest US election is just closing off.
But you'll recall the US Capitol insurrection back end of Donald Trump's last leadership, where there was the civil unrest in the area. And our solution set was actually used and pictured on the desktop of the office of the speaker in the House, in the Senate, advising people to exit the building because of civil unrest, where to go to, how to behave, and how to respond to make sure that people are led away to the right places.
That was done in multiple methods: email, SMS, telephone and desktop messaging. So we're able to advise people where to go, how to behave.
And we're two-way communication flow as well. So they have the opportunity to respond and say, yes, I've taken that action, or yes, I'm in that location.
And then again, they can quite quickly prioritize who they have to go and assist, help out, know where they are, roll call if anything, I suppose, know where people are, understand what's going on. And then respond to those that need help more immediately than others.
CAROLE THERIAULT. You know, it sounds to me a very useful tool, particularly today with so much environmental climate crisis changes that we're seeing with incidents happening all around the world. Plus, we have civil unrest in many geographies.
So this is something that could help. So tell me, how does BlackBerry CEM Solutions AtHoc— what gives you the edge over anybody else?
PAUL FRYER. I think there's a couple of things. I talked just now about the multiple communication chains.
So we are able to do a number of things. So we have an application on the phone, we have desktop app, as I talked about, but you don't have to have our software on your devices to receive a notification from our solution.
So we can do it over SMS. So we're able to use very lightweight common tools to communicate, make requests.
And again, this is two-way. So the SMS is two-way, so we can come back and give an answer to a question or a response back.
Secondly, I think it leads into a couple of other things that we have in the solution set, but with playbooks around events that we can trigger responses for, we can guide people into other areas of communication flow. We have secure communications, voice and data.
CAROLE THERIAULT. It's important.
PAUL FRYER. Yeah, it is important. So we have secure communications with SecuSuite, another BlackBerry company, and we can, as part of the playbook of an event, direct people to that communication platform to have the secure conversation if we're looking at certain security-level conversations that need to be had.
So we're not just restricting ourselves with that one application and applying it in one certain way, but we are able to guide around other methods to go and communicate with the team and respond to an incident that's happened.
CAROLE THERIAULT. I know, and I saw on your website that there were a few stats, and one of them was that BlackBerry CEM AtHoc solution organizations can quickly assess the scope in a matter of minutes. And I would imagine in a situation like this, most companies or organizations would have people jumping around like mad frogs.
You know, it'd be chaos. So this must be something that helps direct and give focus.
PAUL FRYER. Yeah, so that was my point around necessity of two-way communication.
CAROLE THERIAULT. Right.
PAUL FRYER. And when we have an event, we can send out a force-wide or organization-wide request. They can respond to that. And we quickly get a view of where people are in that risk level of the event.
Let's say it's an infrastructure event, like a bridge collapse, for example. Or maybe a fire alarm in an office building. We can quite quickly understand where people are, what the risk is, and respond to that, allow the organization to respond to that so much quicker.
CAROLE THERIAULT. I mean, it's unusual to have cybersecurity people on the show that actually have a life-saving component to their software.
PAUL FRYER. That's a really interesting point. And that's the reason why I talked about the worldwide computer outage. I also relate this back to, again, known communication. We're out of band. Let's take a ransomware attack or a hack of some sort.
People that are sitting on your infrastructure, having breached your network and listening to your communication flow. How do you respond to that confidently with communication tools in your infrastructure that the people that are holding you to ransom or hacking you to steal data could be watching? So you're having a conversation internally around what's our next step in resolving this issue.
Threat actors can be watching that and then second-guessing your next step. So the out-of-band element of a CEM platform means you can have those conversations outside of your infrastructure, knowing that the people that are either holding you to ransom or stealing your data can't see it and respond and change tack quicker than you can respond to what they're doing.
CAROLE THERIAULT. Yeah, incredible, because there's a lot of talk these days about deepfakes, and they often take advantage of situations. I mean, I've been in the industry for decades, and I remember even when we had Hurricane Katrina, immediately there were fake emails trying to raise money that were all going to fraudulent pockets. How do you work around that?
PAUL FRYER. Yeah, there's no better time for a phishing email than a crisis, is there?
GRAHAM CLULEY. That's for sure.
PAUL FRYER. Knowing who you're talking to is really important. There's one critical way we can deal with that. You mentioned at the top of this podcast that BlackBerry's been around for a number of years.
We are essentially a device management organization. Well, at core, we were obviously a handset manufacturer. We still maintain the security that that device gave you with a software set, a set of software solutions that allow you to manage applications and policy on mobile devices.
So we are able to also deploy these products using our secure management tooling such that you have every confidence that the person that sent you that message has valid access, is allowed to process that information, and is also monitored and audited based on the actions that are being taken. And that's really important around how we deliver security from know who you're talking to as well as how do we respond to that issue.
CAROLE THERIAULT. Yeah, especially in a crisis, you don't have time to go and double-check and triple-check everything at that time. You got to go, go, go. So you really want a trusted partner that knows what they're doing. And it sounds like BlackBerry might be a good one.
PAUL FRYER. Yeah, the tool has to be trusted. And data security and governance is a really strong part of what we try and deliver within BlackBerry.
CAROLE THERIAULT. Well, I got to say, I've been a fan of BlackBerry for a long time, ever since the BlackBerry Curve way back when. It was my favorite handset. To date, it's still my favorite handset. I wish it would come back. Is there anything you'd like to add for our listeners about Critical Event Management solution?
PAUL FRYER. So there's a lot of areas that this solution set is suitable for. I would suggest people look within their organization at the kind of things that they're concerned about, the kind of things they've got policies for around even the security of personnel, or they've got policies around if there's a data center outage or if there's a hack. What's your communication plan for that?
What's your — how do you disseminate data in a secure way and communicate with your, not only boots on the ground, but your exec staff to make sure you're making the right responses and the right comments to press as well as internally? Because high-profile organizations might have to make those sorts of statements. There is a place for solutions such as this. I would suggest that organizations understand what that looks like before the incident happens and they cannot communicate.
CAROLE THERIAULT. Yeah, right? You know, be prepared is a key component of all this.
PAUL FRYER. Absolutely.
CAROLE THERIAULT. Thank you so, so much, Paul. Listeners, if you would like to hear more, there is a ton, a veritable ton of information available for free to Smashing Security listeners on BlackBerry's CEM solution page AtHoc.
They have videos, solution briefs, demos, ransomware, all kinds of jazz. All you've got to do is visit smashingsecurity.com/blackberry. That's smashingsecurity.com/blackberry. And Paul Fryer, Senior Manager of Sales Engineering at BlackBerry, thank you so much for coming on and sharing your insight.
THOM LANGFORD. Thanks, Carole.
PAUL FRYER. It's been a pleasure.
GRAHAM CLULEY. Well, that just about wraps up the show for this week. Thanks very much, Thom, for joining us.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for people to do that?
THOM LANGFORD. Google me, darling. Google me. Sorry, DuckDuckGo me.
GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G, but Bluesky has allowed us to have a G, so you can also follow us there instead.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Vanta, BlackBerry, and 1Password, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 392 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye.
THOM LANGFORD. Stay secure, my friends.
-- TRANSCRIPT ENDS --